Okay, the only way I could easy go is immediately return true from the
authenticate( HttpServletRequest request, HttpServletResponse response ) method,
build the tweaked org.apache.karaf.webconsole.branding-2.2.6.jar
and deploy it instead of regular.
Dirty but works.
I think you can configure the security in etc/jetty.xml, which is what the web console refers to.
If you do changes in etc/jetty.xml, I think the ESB need to be restarted.
I tried to modify jetty.xml with no success. I'd be happy if anyone can share an example.
On the other hand, AFAIK it is not good to modify security settings globally in common etc/etty.xml.